I'm not sure if it's valid in the RFC, but it seems legal and easy to do setcookie (setrawcookie?) in PHP or document.cookie = .. in JavaScript without escaping/urlencoding the name/value pair. I did it by "mistake" and never had a chance to fix it from the server side.

Well, yes, I can remove the specified cookie in Firefox for the specified site or clear all cookies in IE, but this is not a way for end users.

Chances that your server or pages may have set such a header:

1. software (that generates web pages) that isn't aware of this problem, and you suddenly lose all users once you have a non-ASCII cookie sent
2. same as above, but 3rd-party plugins for your software
3. cookie and session fixation that's not fixed
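
The post above concerns cookie name/value pairs set without escaping. The following is an added example, not part of the original post: it checks pairs against the RFC 6265 cookie grammar, percent-encodes a pair before it is set, and audits an existing cookie string for offending names. The function names are hypothetical and the sample header is constructed.

```javascript
// Added example; function names are hypothetical, sample data is constructed.
// RFC 6265: cookie-name is an HTTP token, cookie-value is *cookie-octet
// (optionally wrapped in double quotes). Both are ASCII-only.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
const COOKIE_OCTETS = /^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$/;

function isSafePair(name, value) {
  const unquoted = /^".*"$/.test(value) ? value.slice(1, -1) : value;
  return TOKEN.test(name) && COOKIE_OCTETS.test(unquoted);
}

// Percent-encode a pair so only RFC 6265 characters reach the header.
// encodeURIComponent leaves "(" and ")" alone; they are not token characters,
// so the name needs them escaped as well.
function encodePair(name, value) {
  if (name === "") throw new Error("cookie name must not be empty");
  const n = encodeURIComponent(name).replace(/[()]/g,
    (c) => "%" + c.charCodeAt(0).toString(16).toUpperCase());
  return `${n}=${encodeURIComponent(value)}`;
}

// Audit a Cookie request header (or a document.cookie string) and return
// the names of pairs that violate the grammar, e.g. raw non-ASCII values.
function auditCookieHeader(header) {
  const bad = [];
  for (const part of header.split(";")) {
    const pair = part.trim();
    if (pair === "") continue;
    const eq = pair.indexOf("=");
    const name = eq === -1 ? pair : pair.slice(0, eq);
    const value = eq === -1 ? "" : pair.slice(eq + 1);
    if (!isSafePair(name, value)) bad.push(name);
  }
  return bad;
}

// Constructed sample: "lang" was set without encoding.
const sample = "sid=abc123; lang=日本語; theme=dark";
console.log(auditCookieHeader(sample));       // flags the unencoded pair
console.log(encodePair("lang", "日本語"));     // ASCII-only replacement
```

In a browser the encoded pair would be assigned to document.cookie; the reader of the cookie then applies decodeURIComponent to the value.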